One evening, over a glass of Lviv beer together with hacktivists from UkrainianCyberAlliance (UCA) and CyberHunta we took up the issue of blocking Russian social media in Ukraine. All our agreed that VK and Odnoklassniki are platforms tailored to spread Russian propaganda and disinformation in Ukraine’s media environment and that they are one of the main weapons wielded by Russia’s military and political leadership in its hybrid aggression against Ukraine and other countries.

In the conversation, one of the hacktivists mentioned an interesting story or, should we say, a small operation aimed at identifying a vocal anti-Ukrainian advocate and a prolific administrator of separatist groups on social media in charge of more than twenty active groups with more than 400,000 subscribers. Just think of it! 400,000 users, of whom more than 70% are Ukraine’s nationals. Since late 2013, all of them were fed weaponized information from the “active measures” experts with the blessing and backing of Russian politicians, members of parliament and oligarchs connected to the government.

With the blessing of our hacktivist friends we decided to make a detailed piece about this pinpoint operation. Before reading this story, you are well advised to read our previous materials on this subject [1], [2], [3], [4].

The case in point is Marfa Vasilyevna, a notorious administrator of separatist groups on social media. She managed more than twenty active anti-Ukrainian groups on VK and Odnoklassniki social networks, including IA Novorossia, MIA Novorossia, Novorossia Today, Antimaidan, Novorossia | SaveDonbassPeople | Antimaidan, Novorossia, Donetsk | Lugansk | Novorossia.

An effective clue for the identification of a real person behind Marfa’s anonymous account came from the work-related chat of Luhansk and Donetsk People’s Republics (LPR/DPR) propaganda officers, which had been hacked earlier. With some sadness, Marfa reported that the updated list of journalists accredited by the DPR, which was published on Myrotvorets site, contained her data and that of her husband.

It meant that there was Marfa’s real personal data somewhere among 5,000 records on the list. That was interesting enough, and hacktivists supported by Myrotvorets staff started their long journey through the hacked chat of Novorosinform staffers in the quest for some workable clues. Having reviewed what turned out later to be Marfa’s close contacts [1], [2], they managed to find out her e-mail address and phone number:

The search for letyaga-ya@yandex.ru e-mail address on social media returned a Facebook page of Katia Borzova.

The search for “Borzova” in the published list of journalists returned the following record:

The last and first names, as well as the phone number, are the same. However, a different e-mail address was indicated on the list of accredited journalists: solnushkovasilek-8886@yandex.ru. The name of the owner of this e-mail account was indicated as Katia Stetsenko in one of the documents handed over for analysis. The same e-mail account is linked to the VK account of Yekaterina Morozova.

So, we have now two e-mail accounts and three Yekaterinas (Ed.: or Katias, informally): Borzova, Morozova, and Stetsenko. Confusing, isn’t it? But do you remember that Katia mentioned her husband in the chat with colleagues? The search for one of the last names produced Denys Stetsenko mentioned in the dump files as DNR Television and Radio Company’s video engineer and an employee of Radio Respublika.

There were too many Stetsenko’s on social media, so the hacktivists opted for a different approach. They broke into the e-mail account of the editor-in-chief of Radio Respublika, a propaganda outlet where Stetsenko used to work earlier, and requested Denys’ information from the HR department allegedly for the “Ministry of State Security” in her name.

Then encouraged by the account owner’s hospitality, they also decided to chat on Facebook with other HR specialists of the radio station… …And found out that Katia and Denys had recently been interrogated by the DPR “Ministry of State Security” because of a publication discrediting Zakharchenko.

By joint effort, they located the account of Denys, Katia’s partner. There, they found a page of Katia Borzova renamed later into Yekaterina Morozova. Her photos had been deleted from the account earlier but were found on websites with VK page caches. It can be seen that the young woman’s hair hue is the same as the woman’s featured on the photo with the chief terrorist Zakharchenko. This photo was uploaded into Marfa Vasilyevna’s photo album.

After that, UCA’s hacktivists went all-in by posing as an officer of the DPR “Ministry of State Security” and requesting passport copies of Denys and Marfa via hacked VK account of another recruiter Vladimir Yezepchuk.

When Stetsenko friended Yezepchuk, hacktivists found out how old Yekaterina was. Of course, they did not get the passport scans. However, a mention of a conversation with Radio Respublika’s editor-in-chief about Denys’ personal data, he reluctantly acknowledged he knew Yekaterina and was prepared to invite her to chat online.

Hacktivists contacted Borzova (and Denys phoned her with a request to go online on VK). It was easy as pie to confirm that this was the actual person running the Marfa account. The “split personality” of Katia-Marfa became split even more when some Elena was mentioned who had co-managed the Marfa account together with Yekaterina. One becomes really inventive in order not to end up “in the dungeon”. Interestingly, Yekaterina had already been interrogated by the “Ministry of State Security” regarding her social media accounts and her activity on social media.

And that was it! Meet Yekaterina Sergeievna Borzova, (Ed.: the name is spelled in transliteration from Russian, as she would definitely prefer) born on: February 17, 1988, tax identification number: 3234303709, registered address of residence: 2 Vulytsia Varhanova, apartment 26, Mariupol, Donetsk Region.

Google confirms that a female code-named “Marfa” used to recruit militants and informers in Donbas in 2014 and 2015 in the occupied territories. We have grounds to believe now that this “Marfa” is the same Yekaterina Borzova. However, it is up to the Ukrainian intelligence and law enforcement agencies to establish it.

Disclaimer:

Evidence data was exclusively provided to InformNapalm by the hacktivists of the Ukrainian Cyber Alliance. InformNapalm Community bears no responsibility for the sources and origin of the data.” 

This publication was prepared by Mikhail Kuznetsov specially for InformNapalm.

Translated by Oleksandr Ivanov, edited by Artem Velichko
An active link to the authors and our project is obligatory for any reprint or further public use of the material.
(Creative Commons — Attribution 4.0 International — CC BY 4.0)
Repost and share with friends.
For notifications about InformNapalm investigations follow us on Facebook, Twitter and Telegram.